AMENDMENTS TO THE CLAIMS 



This listing of claims will replace all prior versions, and listings, of claims 
in the application: 

Listing of Claims: 



1 1 . (Currently Amended) A machine implemented method of 

2 monitoring traffic flow in a monitoring device disposed to receive network traffic 

3 packets , the method comprising: comprises: 

4 producing statistics corresponding to a parameter of traffic flow to trace 

5 the source of an attack, with producing further comprising: 

6 mapping the traffic flow into a plurality of buckets by applying a hash 

7 function "f(h)" to the parameter of the traffic flow to output an integer 

8 corresponding to one of the buckets; 

9 accumulating statistics from the packets; and 

10 comparing the number of buckets to a threshold; and 

1 1 determining whether the number of buckets should be divided into more 

12 buckets or combined into fewer buckets based on comparing the number of 

13 buckets to the threshold. 

1 2. (Allowed) The method of claim 1 wherein the buckets are storage 

2 areas in a memory space of the monitor device. 

1 3. (Allowed) The method of claim 1 wherein as the number of 

2 buckets changes, the buckets have values derived from the buckets prior to the 

3 change. 
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1 4. (Allowed) The method of claim 1 wherein the hash function adapts 

2 to map to the new number of buckets, as the new number of buckets changes. 

1 5. (Allowed) The method of claim 1 wherein comparing statistic 

2 values comprises: 

3 comparing the value accumulated in the bucket to a threshold that depends 

4 on the number of buckets. 

1 6. (Allowed) The method of claim 1 wherein the parameter is the 

2 count of how many packets a data collector or gateway examines. 

1 7. (Allowed) The method of claim 1 wherein as a value of a 

2 parameter for one bucket approaches a threshold, the monitoring device raises an 

3 alarm. 

1 8. (Allowed) The method of claim 1 wherein the hash function 

2 changes periodically in a randomly secret manner so that packets are reassigned 

3 to different buckets. 

1 9. (Allowed) The method of claim 1 wherein the variable number of 

2 buckets dynamically adjusts the amount of traffic and number of flows monitored, 

3 so that the monitoring device is not vulnerable to a denial of service attack against 

4 its own resources. 

1 10. (Allowed) The method of claim 1 wherein the variable number of 

2 buckets efficiently identifies the source or sources of attack by breaking down 

3 traffic into different buckets and examining statistics accumulated for a parameter 

4 and a corresponding threshold in each bucket. 

1 11. (Allowed) The method of claim 1 wherein the traffic is monitored 

2 at multiple levels of granularity, from aggregate to individual flows. 



SY: RIV-0440 37 CFR 1.312 Amendment 



3 



1 12. (Allowed) The method of claim 1 wherein the method is applied to 

2 monitoring of TCP packet ratios and repressor traffic. 

1 13. (Allowed) The method of claim 1 wherein the threshold is a first 

2 threshold and the method further comprises: 

3 comparing accumulated statistic values from the buckets to second 

4 threshold values to determine that an event is of significance. 

1 14. (Currently Amended) A computer program product residing on a 

2 computer readable storage medium for monitoring network traffic flow in a 

3 network , the computer program product comprising comprises instructions for 

4 causing a computer to: 

5 map traffic flow into a plurality of buckets by applying a hash function 

6 "f(h)" to a parameter of the traffic flow to output an integer corresponding to one 

7 of the buckets; 

8 accumulate statistics from the packets; and 

9 compare the accumulated statistic values from the buckets to configured 

10 threshold values corresponding to the number of buckets to determine that an 

1 1 event is of significance; and 

12 adjust the number of buckets as the number of buckets approaches a 

13 second threshold. 

1 15. (Allowed) The computer program product of claim 14 wherein 

2 based on the second threshold, the buckets are divided into more buckets or 

3 combined into fewer buckets 

1 16. (Allowed) The computer program product of claim 14 wherein 

2 instructions to monitor further comprise instructions to 

3 divide the bucket into a different number of new buckets containing values 

4 derived from the original bucket. 
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1 17. (Allowed) The computer program product of claim 14 wherein the 

2 hash function adapts to map to the new number of buckets as the new number of 

3 buckets changes. 

1 18. (Allowed) The computer program product of claim 14 wherein the 

2 parameter is the count of how many packets a data collector or gateway examines. 
3 

1 19. (Allowed) The computer program product of claim 14 wherein the 

2 buckets are storage areas in the memory space of the monitor device. 

1 20. (Allowed) The computer program product of claim 14 wherein the 

2 hash function changes periodically in a randomly secret manner so that packets 

3 are reassigned to different buckets. 

1 21. (Currently Amended) A data collector to collect statistical 

2 information about network flows comprises comprising : 

3 a computer readable medium; 

4 a computing device that executes a computer program product stored on 

5 the computer readable medium comprising instructions to cause the computing 

6 device to: 

7 map traffic flow into a plurality of buckets by applying a hash function 

8 "f(h)" to the parameter of the traffic flow to output an integer corresponding to 

9 one of the buckets; 

10 accumulate statistics from the packets; and 

1 1 compare the accumulated statistic values from the buckets to configured 

12 threshold values corresponding to the number of buckets to determine that an 

13 event is of significance; and 

14 adjust the number of buckets as the number of buckets approaches a 

15 second threshold. 
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1 22-49 (Cancelled) 



1 50. (Allowed) The data collector of claim 21 wherein based on the 

2 second threshold, the buckets are divided into more buckets or combined into 

3 fewer buckets 



1 51. (Allowed) The data collector of claim 21 wherein instructions to 

2 monitor further comprise instructions to 

3 divide the bucket into a different number of new buckets containing values 

4 derived from the original bucket. 



1 52. (Allowed) The data collector of claim 2 1 , wherein the hash 

2 function adapts to map to the new number of buckets as the new number of 

3 buckets changes. 

1 53. (Allowed) The data collector of claim 21 wherein the parameter is 

2 the count of how many packets the data collector examines. 

1 54. (Allowed) The data collector of claim 21 wherein the buckets are 

2 storage areas in the memory space of the monitor device. 

1 55. (Allowed) The data collector of claim 21 wherein the hash 

2 function changes periodically in a randomly secret manner so that packets are 

3 reassigned to different buckets. 



1 56. (Allowed) The data collector of claim 21 wherein instructions to 

2 compare statistic values comprises instructions to: 

3 compare the value accumulated in the bucket to a threshold that depends 

4 on the number of buckets. 
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1 57. (Allowed) The data collector of claim 21 wherein as a value of a 

2 parameter for one bucket approaches a threshold, the monitoring device raises an 

3 alarm. 

1 58. (Allowed) The data collector of claim 21 wherein the variable 

2 number of buckets dynamically adjusts the amount of traffic and number of flows 

3 monitored, so that the data collector is not vulnerable to a denial of service attack 

4 against its own resources. 

1 59. (Allowed) The data collector of claim 21 wherein the variable 

2 number of buckets efficiently identifies the source or sources of attack by 

3 breaking down traffic into different buckets and examining statistics accumulated 

4 for a parameter and a corresponding threshold in each bucket. 

1 60. (Allowed) The data collector of claim 21 wherein the traffic is 

2 monitored at multiple levels of granularity, from aggregate to individual flows. 

1 61 . (Allowed) The data collector of claim 21 wherein the traffic is 

2 applied to monitoring of TCP packet ratios and repressor traffic. 

1 62. (Allowed) The data collector of claim 21 wherein the threshold is a 

2 first threshold and the computer program further comprises instructions to: 

3 compare accumulated statistic values from the buckets to second threshold 

4 values to determine that an event is of significance. 

1 63. (Allowed) A method of monitoring traffic flow in a monitor device 

2 disposed to receive network traffic packets comprises: 

3 producing statistics corresponding to a parameter of traffic flow to trace 

4 the source of an attack, with producing further comprising: 

5 mapping the traffic flow into a plurality of buckets; 



SY: RIV-0440 37 CFR 1.312 Amendment 



7 



6 varying the number of buckets according to the amount of traffic and 

7 number of flows according to down traffic flow into different buckets and 

8 examining statistics accumulated for a parameter and a corresponding threshold in 

9 the bucket. 

1 64. (Allowed) The method of claim 63 wherein varying varies the 

2 number of buckets so that the monitoring device is not vulnerable to DoS attacks 

3 against its own resources. 

1 65. (Allowed) The method of claim 63 wherein varying the number of 

2 buckets comprises: 

3 comparing the number of buckets to a threshold number of buckets; 

4 determining whether the number of buckets should be divided into more 

5 buckets or combined into fewer buckets based on comparing the number of 

6 buckets to the threshold and as the number of buckets changes, the buckets have 

7 values derived from the buckets prior to the change. 

1 66. (Allowed) The method of claim 63 wherein further comprising: 

2 comparing accumulated statistic values from the buckets to second 

3 threshold values to determine that an event is of significance. 

1 67. (Allowed) The method of claim 63 wherein comparing statistic 

2 values comprises: 

3 accumulating statistic values from the packets; and 

4 comparing the values accumulated in the buckets to thresholds that depend 

5 on the number of buckets. 

1 68. (Allowed) The method of claim 63 wherein the variable number of 

2 buckets dynamically adjusts the amount of traffic and number of flows monitored, 

3 so that the monitoring device is not vulnerable to a denial of service attack against 

4 its own resources. 
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1 69. (Allowed) The method of claim 63 wherein the buckets are storage 

2 areas in a memory space of the monitor device and mapping the traffic flow into a 

3 plurality of buckets comprises: 

4 applying a hash function "f(h)" to the parameter of the traffic flow to 

5 output an integer corresponding to one of the buckets. 

1 70. (Allowed) A computer program product residing on a computer 

2 readable medium for monitoring traffic flow in a monitor device disposed to 

3 receive network traffic packets comprises instructions for causing the device to: 

4 produce statistics corresponding to a parameter of traffic flow to trace the 

5 source of an attack, with producing further comprising: 

6 map the traffic flow into a plurality of buckets; 

7 vary the number of buckets according to the amount of traffic and number 

8 of flows according to down traffic flow into different buckets and examining 

9 statistics accumulated for a parameter and a corresponding threshold in the 
10 bucket. 

1 71. (Allowed) The computer program product of claim 70 wherein 

2 instructions to vary, vary the number of buckets so that the monitoring device is 

3 not vulnerable to DoS attacks against its own resources. 

1 72. (Allowed) The computer program product of claim 70 wherein 

2 instructions to vary comprises instructions to: 

3 compare the number of buckets to a threshold number of buckets; 

4 determine whether the number of buckets should be divided into more 

5 buckets or combined into fewer buckets based on comparing the number of 

6 buckets to the threshold and as the number of buckets changes, the buckets have 

7 values derived from the buckets prior to the change. 
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1 73. (Allowed) The computer program product of claim 70 further 

2 comprising instructions to: 

3 compare accumulated statistic values from the buckets to second threshold 

4 values to determine that an event is of significance. 

1 74. (Allowed) The computer program product of claim 70 wherein 

2 instructions to compare statistic values' comprises instructions to: 

3 accumulate statistic values from the packets; and 

4 compare the values accumulated in the buckets to thresholds that depend 

5 on the number of buckets. 

1 75. (Allowed) The computer program product of claim 70 wherein the 

2 variable number of buckets dynamically adjusts the amount of traffic and number 

3 of flows monitored, so that the monitoring device is not vulnerable to a denial of 

4 service attack against its own resources. 

1 76. (Allowed) The computer program product of claim 70 wherein the 

2 buckets are storage areas in a memory space of the monitor device and 

3 instructions to map the traffic flow into a plurality of buckets comprises 

4 instructions to: 

5 apply a hash function "f(h)" to the parameter of the traffic flow to output 

6 an integer corresponding to one of the buckets. 

1 77. (Allowed) The data collector of claim 21 further comprising: 

2 a port to link the data collector to a central control center. 
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